US9444629B2 - Dual layer transport security configuration - Google Patents
- Publication number: US9444629B2 (application US13/902,442)
- Authority: US (United States)
- Prior art keywords: layer, data transmission, computer, authentication, landscape
- Legal status: Active, expires (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
      - H04L9/3263—involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
      - H04L9/3226—using a predetermined code, e.g. password, passphrase or PIN
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/08—for authentication of entities
      - H04L63/0823—using certificates
      - H04L63/083—using passwords
Definitions
- The present disclosure relates to a system and method for a dual layer transport security configuration.
- HTTPS: Hypertext Transport Protocol Secure
- SSL: Secure Sockets Layer
- Client certificate authentication or basic authentication, as supported by standard security structures. While such authentication is secure, the structures involved in the authentication do not offer multiple layers of security, especially during transmission of critical information. In such situations, integrating parties may also feel the need to consider additional security software, hardware, and/or configurations to ensure the integrity of the critical information and to ensure protection from hackers.
- FIG. 1 is a block diagram illustrating an example embodiment of a dual layer transport security configuration.
- FIGS. 2A and 2B are block diagrams illustrating steps and features of an example embodiment of a dual layer transport security configuration.
- An embodiment relates to securing data transmissions through multiple layers of a computer system landscape.
- The multiple layers of security ensure that, if a single party is blocked from sending a message to another party, the message is rejected at the basic network layer rather than further into the landscape at the application layer or application program interface (API) layer.
- API: application program interface
- An embodiment builds on the general security concept of HTTPS SSL authentication between a server and a client, or between any two computer processors or systems.
- The authentication uses both client certificate authentication and basic authentication.
- The dual-layered security structure, i.e., client certificate authentication combined with basic authentication.
- This embodiment combines these individual security concepts at the transport layers for communication across different integrated landscapes, using the systems, protocols, and security structure mentioned above.
- An embodiment gives a business organization additional leverage to secure its computer system landscape on multiple layers, during multiple periods, on multiple devices, and on multiple systems, for any communication in any outbound or inbound scenario.
- The multiple-layer security configuration not only strengthens the security domain of an organization but also makes it feasible to incorporate the security structure at multiple network components at the same time, which makes this embodiment robust and secure, especially for transmission of confidential data such as banking payment information.
- The embodiment also handles incorrect information by rejecting it once it has been checked at the basic network landscape level, rather than checking or re-checking it deeper in the landscape at the application level. This reduces application-layer network traffic and makes the embodiment more stable, robust and concrete.
- If the first load balancer 131 determines that the data transmission cannot be authenticated by client certificate authentication, the load balancer 131 prevents the data transmission from being forwarded to the first computer processor on the application layer via the bank payment interface 132 (215). If the first load balancer 131 determines that the data transmission can be authenticated by client certificate authentication, it transmits the data through the bank payment interface 132 to the application layer of the first computer processor (220).
- The data from the first computer processor is transmitted to the network layer of the third computer processor 134.
- The incoming data is verified at the second load balancer 133 using client certificate authentication. If the second load balancer 133 determines that the data transmission cannot be authenticated by the client certificate (230), it prevents the data transmission from reaching the third computer processor. If the second load balancer 133 authenticates the client certificate, it transmits the data to the application layer of the third computer processor. If the third computer processor 134 verifies the basic authentication (225, 235), the information originally sent from the second computer processor is processed by the third computer processor 134.
- The system of FIG. 1 can block traffic at the network layer and reduce the network traffic that enters the application layer.
- The configuration decreases the load on the first computer processor and improves the performance of message communication and processing. The improvement is especially evident with large messages at the first computer processor and in the data transmission.
- When a party representing the second computer processor is blocked from data transmission to the first computer processor, the transmission can be rejected at the network layer instead of at the API layer, where data may be processed for further communication.
- A business process may therefore not need any additional infrastructure or application to enhance the security of the process in line with the criticality of the information flow.
- Client certificate authentication involves authentication of a particular client (240). In most cases, this involves a client certificate that was previously electronically signed by the party receiving the data transmission (245). The receiving party then knows, via the previously signed certificate, that the data transmission is from the particular client and is therefore authentic.
- The client normally includes a plurality of users, such as a business organization that has a plurality of employees (242).
- FIG. 2B illustrates that the user-based authentication can include authentication of a particular individual user (250).
- The particular individual user is normally associated with a particular client.
- The user-based authentication can include a user name and password.
- The data transmission from the second computer processor can be a payment instruction transmission.
- The processing of the data at the second layer includes sending an acknowledgment from the first computer processor to the second computer processor, acknowledging that the first computer processor has received the data transmission.
- A third computer processor may be present, in which case the first computer processor transmits the payment instruction transmission to the third computer processor for processing by the third computer processor.
- A dual layer transport security configuration includes a computer landscape that is a multi-layer network (265), a data transmission network that includes an Internet-based service (270), a first layer of the computer landscape that includes a network layer (275), and a second layer of the computer landscape that includes an application layer (280).
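The two-stage check described above (client certificate verified at the load balancer on the network layer, basic authentication verified at the application layer, with rejections reported by layer), as an added Python simulation that is not code from the patent or its assignee. It assumes a constructed receiver signing key, a constructed user store, and models the receiving party's certificate signature with an HMAC; a real deployment uses X.509 client certificates over TLS.

```python
"""Simulation of the dual layer transport security configuration.

Constructed example. Layer 1 (the load balancer, network layer) accepts only
transmissions whose client certificate was previously signed by the receiving
party (step 245). Layer 2 (the application layer) verifies HTTP basic
authentication and requires the user to belong to the client the certificate
identifies. Rejections at layer 1 never reach the application.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumed secret held by the receiving party; stands in for its signing key.
RECEIVER_SIGNING_KEY = b"receiver-signing-key-constructed"


def sign_certificate(client_id: str) -> str:
    """Model of the receiving party pre-signing a certificate for client_id."""
    return hmac.new(RECEIVER_SIGNING_KEY, client_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Transmission:
    client_id: str                # subject named in the presented client certificate
    cert_signature: str           # signature carried by that certificate
    authorization: Optional[str]  # HTTP Authorization header; may be absent
    payload: str


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: user -> (client the user belongs to, salt, pbkdf2 hash)
_SALT = b"constructed-salt"
USERS = {"alice": ("acme-bank", _SALT, _pw_hash("correct horse", _SALT))}


def basic_header(user: str, password: str) -> str:
    """Build an HTTP basic authentication header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def network_layer_check(tx: Transmission) -> bool:
    """Layer 1, at the load balancer: was this client certificate signed by us?"""
    expected = sign_certificate(tx.client_id)
    return hmac.compare_digest(expected, tx.cert_signature)


def application_layer_check(tx: Transmission) -> bool:
    """Layer 2, at the application: basic auth, and the user must belong to the client."""
    if not tx.authorization or not tx.authorization.startswith("Basic "):
        return False
    try:
        user, password = base64.b64decode(tx.authorization[6:], validate=True).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    record = USERS.get(user)
    if record is None:
        return False
    client_id, salt, stored = record
    if client_id != tx.client_id:
        return False  # user is not associated with the client named in the certificate
    return hmac.compare_digest(stored, _pw_hash(password, salt))


def process(tx: Transmission) -> dict:
    """Run both layers in order and report which layer rejected the transmission."""
    if not network_layer_check(tx):
        return {"accepted": False, "rejected_at": "network"}  # blocked before the app layer
    if not application_layer_check(tx):
        return {"accepted": False, "rejected_at": "application"}
    # Second-layer processing includes an acknowledgment back to the sender.
    return {"accepted": True, "ack": f"received {len(tx.payload.encode())} bytes from {tx.client_id}"}
```
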
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/902,442 US9444629B2 (en) | 2013-05-24 | 2013-05-24 | Dual layer transport security configuration |
US15/066,349 US9544152B2 (en) | 2013-05-24 | 2016-03-10 | Dual layer transport security configuration |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/902,442 US9444629B2 (en) | 2013-05-24 | 2013-05-24 | Dual layer transport security configuration |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/066,349 Continuation US9544152B2 (en) | 2013-05-24 | 2016-03-10 | Dual layer transport security configuration |
Publications (2)
Publication Number | Publication Date |
---|---|
US20140351577A1 US20140351577A1 (en) | 2014-11-27 |
US9444629B2 true US9444629B2 (en) | 2016-09-13 |
Family
ID=51936208
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/902,442 Active 2033-08-12 US9444629B2 (en) | 2013-05-24 | 2013-05-24 | Dual layer transport security configuration |
US15/066,349 Active US9544152B2 (en) | 2013-05-24 | 2016-03-10 | Dual layer transport security configuration |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/066,349 Active US9544152B2 (en) | 2013-05-24 | 2016-03-10 | Dual layer transport security configuration |
Country Status (1)
Country | Link |
---|---|
US (2) | US9444629B2 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9137234B2 (en) * | 2012-03-23 | 2015-09-15 | Cloudpath Networks, Inc. | System and method for providing a certificate based on granted permissions |
US9444629B2 (en) | 2013-05-24 | 2016-09-13 | Sap Se | Dual layer transport security configuration |
US10320842B1 (en) * | 2017-03-24 | 2019-06-11 | Symantec Corporation | Securely sharing a transport layer security session with one or more trusted devices |
US10558653B2 (en) | 2017-06-07 | 2020-02-11 | Sap Se | Dynamic, variable-data attribute data service |
US11303633B1 (en) | 2017-08-09 | 2022-04-12 | Sailpoint Technologies, Inc. | Identity security gateway agent |
US11240240B1 (en) * | 2017-08-09 | 2022-02-01 | Sailpoint Technologies, Inc. | Identity defined secure connect |
US10911433B1 (en) * | 2017-09-27 | 2021-02-02 | Amazon Technologies, Inc. | Network traffic distribution using certificate scanning in agent-based architecture |
Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6324648B1 (en) | 1999-12-14 | 2001-11-27 | Gte Service Corporation | Secure gateway having user identification and password authentication |
EP1601153A2 (en) | 2004-05-28 | 2005-11-30 | Sap Ag | Client authentication using a challenge provider |
US20060173793A1 (en) * | 2005-01-13 | 2006-08-03 | Glass Paul H | System and method for verifying the age and identity of individuals and limiting their access to appropriate material and situations |
US7269732B2 (en) | 2003-06-05 | 2007-09-11 | Sap Aktiengesellschaft | Securing access to an application service based on a proximity token |
US7451308B2 (en) | 2004-10-12 | 2008-11-11 | Sap Ag | Method and system to automatically evaluate a participant in a trust management infrastructure |
US7661131B1 (en) | 2005-02-03 | 2010-02-09 | Sun Microsystems, Inc. | Authentication of tunneled connections |
US7770012B2 (en) | 2001-02-14 | 2010-08-03 | International Business Machines Corporation | System and computer program product for secure authentication using digital certificates |
US7900240B2 (en) | 2003-05-28 | 2011-03-01 | Citrix Systems, Inc. | Multilayer access control security system |
US8181262B2 (en) | 2005-07-20 | 2012-05-15 | Verimatrix, Inc. | Network user authentication system and method |
US8225096B2 (en) | 2006-10-27 | 2012-07-17 | International Business Machines Corporation | System, apparatus, method, and program product for authenticating communication partner using electronic certificate containing personal information |
US20120260330A1 (en) | 2011-04-05 | 2012-10-11 | Sap Ag | User authentication for intermediate representational state transfer (rest) client via certificate authority |
US20120290833A1 (en) | 2011-05-12 | 2012-11-15 | Sybase, Inc. | Certificate Blobs for Single Sign On |
US8346929B1 (en) | 2003-08-18 | 2013-01-01 | Oracle America, Inc. | System and method for generating secure Web service architectures using a Web Services security assessment methodology |
US8429734B2 (en) | 2007-07-31 | 2013-04-23 | Symantec Corporation | Method for detecting DNS redirects or fraudulent local certificates for SSL sites in pharming/phishing schemes by remote validation and using a credential manager and recorded certificate attributes |
US20130246280A1 (en) * | 2012-03-12 | 2013-09-19 | OneID, Inc. | Secure digital invoice processing |
US20140047510A1 (en) * | 2012-08-13 | 2014-02-13 | Wells Fargo, N.A. | Wireless multi-factor authentication with captive portals |
US20140096207A1 (en) * | 2012-09-28 | 2014-04-03 | Avaya Inc. | Layer 7 authentication using layer 2 or layer 3 authentication |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999060482A1 (en) * | 1998-05-21 | 1999-11-25 | Equifax Inc. | System and method for authentication of network users and issuing a digital certificate |
US8020199B2 (en) * | 2001-02-14 | 2011-09-13 | 5th Fleet, L.L.C. | Single sign-on system, method, and access device |
US9444629B2 (en) | 2013-05-24 | 2016-09-13 | Sap Se | Dual layer transport security configuration |
2013
- 2013-05-24: US13/902,442 filed (US9444629B2), active
2016
- 2016-03-10: US15/066,349 filed (US9544152B2), active
Patent Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6324648B1 (en) | 1999-12-14 | 2001-11-27 | Gte Service Corporation | Secure gateway having user identification and password authentication |
US7770011B2 (en) | 2001-02-14 | 2010-08-03 | International Business Machines Corporation | Secure authentication using digital certificates with individual authentication data |
US7770012B2 (en) | 2001-02-14 | 2010-08-03 | International Business Machines Corporation | System and computer program product for secure authentication using digital certificates |
US7900240B2 (en) | 2003-05-28 | 2011-03-01 | Citrix Systems, Inc. | Multilayer access control security system |
US7269732B2 (en) | 2003-06-05 | 2007-09-11 | Sap Aktiengesellschaft | Securing access to an application service based on a proximity token |
US8346929B1 (en) | 2003-08-18 | 2013-01-01 | Oracle America, Inc. | System and method for generating secure Web service architectures using a Web Services security assessment methodology |
EP1601153A2 (en) | 2004-05-28 | 2005-11-30 | Sap Ag | Client authentication using a challenge provider |
US7451308B2 (en) | 2004-10-12 | 2008-11-11 | Sap Ag | Method and system to automatically evaluate a participant in a trust management infrastructure |
US20060173793A1 (en) * | 2005-01-13 | 2006-08-03 | Glass Paul H | System and method for verifying the age and identity of individuals and limiting their access to appropriate material and situations |
US7661131B1 (en) | 2005-02-03 | 2010-02-09 | Sun Microsystems, Inc. | Authentication of tunneled connections |
US8181262B2 (en) | 2005-07-20 | 2012-05-15 | Verimatrix, Inc. | Network user authentication system and method |
US8225096B2 (en) | 2006-10-27 | 2012-07-17 | International Business Machines Corporation | System, apparatus, method, and program product for authenticating communication partner using electronic certificate containing personal information |
US8429734B2 (en) | 2007-07-31 | 2013-04-23 | Symantec Corporation | Method for detecting DNS redirects or fraudulent local certificates for SSL sites in pharming/phishing schemes by remote validation and using a credential manager and recorded certificate attributes |
US20120260330A1 (en) | 2011-04-05 | 2012-10-11 | Sap Ag | User authentication for intermediate representational state transfer (rest) client via certificate authority |
US20120290833A1 (en) | 2011-05-12 | 2012-11-15 | Sybase, Inc. | Certificate Blobs for Single Sign On |
US20130246280A1 (en) * | 2012-03-12 | 2013-09-19 | OneID, Inc. | Secure digital invoice processing |
US20140047510A1 (en) * | 2012-08-13 | 2014-02-13 | Wells Fargo, N.A. | Wireless multi-factor authentication with captive portals |
US20140096207A1 (en) * | 2012-09-28 | 2014-04-03 | Avaya Inc. | Layer 7 authentication using layer 2 or layer 3 authentication |
Non-Patent Citations (2)
Title |
---|
Sathyan, Jithesh, et al., "Multi-Layered Collaborative Approach to Address Enterprise Mobile Security Challenges", Advances in E-Activities, Information Security and Privacy, (2010), 47-52. |
U.S. Appl. No. 15/066,349, Preliminary Amendment filed Mar. 11, 2016, 7 pgs. |
Also Published As
Publication number | Publication date |
---|---|
US9544152B2 (en) | 2017-01-10 |
US20160191502A1 (en) | 2016-06-30 |
US20140351577A1 (en) | 2014-11-27 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US9544152B2 (en) | Dual layer transport security configuration | |
US10085150B2 (en) | Authenticating mobile applications using policy files | |
US11122047B2 (en) | Invitation links with enhanced protection | |
US20180219862A1 (en) | Actively federated mobile authentication | |
US9369286B2 (en) | System and methods for facilitating authentication of an electronic device accessing plurality of mobile applications | |
Feng et al. | Analysis of integrity vulnerabilities and a non-repudiation protocol for cloud data storage platforms | |
US12034715B2 (en) | System and method for cloud-based analytics | |
US10206099B1 (en) | Geolocation-based two-factor authentication | |
US20120240203A1 (en) | Method and apparatus for enhancing online transaction security via secondary confirmation | |
WO2013156531A1 (en) | Secure password-based authentication for cloud computing services | |
CN112491776A (en) | Security authentication method and related equipment | |
US10834074B2 (en) | Phishing attack prevention for OAuth applications | |
US10044735B2 (en) | System and method for authentication of electronic communications | |
US9948648B1 (en) | System and method for enforcing access control to publicly-accessible web applications | |
CN103379093A (en) | Method and device for achieving account intercommunication | |
CN102510336A (en) | Security certification system or method | |
US11469905B2 (en) | Device and method for processing public key of user in communication system that includes a plurality of nodes | |
US10110582B2 (en) | Dual token based authentication and transport mechanism | |
US20230188345A1 (en) | System and methods for interactive document sharing and authentication with privacy guarantee | |
JP2010066886A (en) | Falsification instruction execution prevention technology using a plurality of terminals | |
CN113032761A (en) | Securing remote authentication | |
US10708301B2 (en) | Method of, and apparatus for, secure online electronic communication | |
WO2017128044A1 (en) | User identity authentication method and server | |
KR20150104667A (en) | Authentication method | |
CN115174200B (en) | Third party authentication method, device and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: SAP AG, GERMANY. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: VISHAL, VIVEK; REEL/FRAME: 030484/0883. Effective date: 20130514 |
 | AS | Assignment | Owner name: SAP SE, GERMANY. Free format text: CHANGE OF NAME; ASSIGNOR: SAP AG; REEL/FRAME: 033625/0223. Effective date: 20140707 |
 | FEPP | Fee payment procedure | Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | FEPP | Fee payment procedure | Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4 |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 8 |